6.1
SiYuan 3.5.8 and earlier: Unauthenticated Attack via Malicious Icon Link
CVE-2026-29183
GHSA-6865-qjcf-286f
Summary
SiYuan's dynamic icon endpoint (GET /api/icon/getDynamicIcon) can be reached without authentication and, for type=8, reflects attacker-controlled text into an image/svg+xml response without escaping. A crafted link therefore runs attacker-supplied JavaScript in the SiYuan web origin when a logged-in user opens it, and that script can call the authenticated API to read or modify the user's data. Update to SiYuan 3.5.9 or later, which fixes this issue.
What to do
- SiYuan release: update to version 3.5.9 or later, which contains the fix.
- Go module github.com/siyuan-note/siyuan/kernel: update to pseudo-version 0.0.0-20260304034809-d68bd5a79391 (the fix commit d68bd5a79391) or later.
Affected software
| Vendor | Product | Affected versions | Fixed version |
|---|---|---|---|
| siyuan-note | github.com/siyuan-note/siyuan/kernel (Go module) | < 0.0.0-20260304034809-d68bd5a79391 | 0.0.0-20260304034809-d68bd5a79391 |
| b3log | siyuan | < 3.5.9 | 3.5.9 |
Original description
SiYuan is a personal knowledge management system. Prior to version 3.5.9, an unauthenticated reflected XSS vulnerability exists in the dynamic icon API endpoint "GET /api/icon/getDynamicIcon" when type=8: attacker-controlled content is embedded into SVG output without escaping. Because the endpoint is unauthenticated and returns image/svg+xml, a crafted URL can inject executable SVG/HTML event handlers (for example onerror) and run JavaScript in the SiYuan web origin. This can be chained to perform authenticated API actions and exfiltrate sensitive data when a logged-in user opens the malicious link. This issue has been patched in version 3.5.9.
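To make the flaw class concrete, the following is an added Go example, not SiYuan's code and not the fix commit: it puts a renderer with the defect the advisory describes (caller text interpolated into SVG unescaped) next to the escaped form, serves both through a handler with the endpoint's shape, and probes each with a type=8 request carrying an onerror handler. The SVG skeleton, the `content` parameter name and the `containsActiveContent` check are illustrative assumptions.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// svgTemplate is an illustrative SVG skeleton, not SiYuan's real icon markup.
const svgTemplate = `<svg xmlns="http://www.w3.org/2000/svg" width="128" height="128">` +
	`<text x="8" y="64" font-size="24">%s</text></svg>`

// renderUnsafe reproduces the flaw class described in the advisory: caller text is
// interpolated straight into the SVG, so "</text><image onerror=...>" breaks out of
// character data and becomes markup.
func renderUnsafe(content string) string {
	return fmt.Sprintf(svgTemplate, content)
}

// renderEscaped is the corresponding hardened form: html.EscapeString turns < > & " '
// into entities, so whatever the caller sends can only ever be text inside <text>.
func renderEscaped(content string) string {
	return fmt.Sprintf(svgTemplate, html.EscapeString(content))
}

// iconHandler models the endpoint shape: no authentication, "type" selects the variant,
// and the body is served as image/svg+xml, so a browser navigating to the URL renders it
// as a document and runs script in it. The "content" parameter name is an assumption.
func iconHandler(render func(string) string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		if q.Get("type") != "8" {
			http.Error(w, "only type=8 is modelled in this example", http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "image/svg+xml")
		fmt.Fprint(w, render(q.Get("content")))
	}
}

// containsActiveContent is the check to run on a captured response body: parse the SVG
// as XML and flag any <script> element or on* event-handler attribute. Escaped payloads
// never produce elements or attributes, only character data, so they are not flagged.
func containsActiveContent(svg string) bool {
	dec := xml.NewDecoder(strings.NewReader(svg))
	for {
		tok, err := dec.Token()
		if err != nil {
			// io.EOF, or malformed XML; a non-parsing image/svg+xml document is not
			// rendered by browsers, but treat parse errors as "inspect manually".
			return false
		}
		se, ok := tok.(xml.StartElement)
		if !ok {
			continue
		}
		if strings.EqualFold(se.Name.Local, "script") {
			return true
		}
		for _, a := range se.Attr {
			if strings.HasPrefix(strings.ToLower(a.Name.Local), "on") {
				return true
			}
		}
	}
}

// probe sends one crafted type=8 request (the advisory's onerror example) to an
// in-process handler and reports whether the reflected SVG contains executable content.
func probe(render func(string) string) (status int, body string, vulnerable bool) {
	payload := `</text><image href="x" onerror="alert(document.domain)"/><text>`
	target := "/api/icon/getDynamicIcon?type=8&content=" + url.QueryEscape(payload)
	rec := httptest.NewRecorder()
	iconHandler(render)(rec, httptest.NewRequest(http.MethodGet, target, nil))
	body = rec.Body.String()
	return rec.Code, body, containsActiveContent(body)
}

func main() {
	renderers := map[string]func(string) string{"unsafe": renderUnsafe, "escaped": renderEscaped}
	for name, render := range renderers {
		status, body, vuln := probe(render)
		fmt.Printf("%s renderer: status=%d active content=%v\n%s\n\n", name, status, vuln, body)
	}
}
```

Running it prints both response bodies: the unsafe one contains a live `<image ... onerror="...">` element, the escaped one contains only `&lt;image ... onerror=&#34;...&#34;` as text. The check parses the SVG rather than grepping for "onerror" because the escaped body still contains that literal substring; a substring match would report the fixed version as vulnerable.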
NVD CVSS 3.1: 9.3
Vulnerability type
CWE-79: Cross-site Scripting (XSS)
References
- https://github.com/siyuan-note/siyuan/commit/d68bd5a79391742b3cb2e14d892bdd99970...
- https://github.com/advisories/GHSA-6865-qjcf-286f
- https://github.com/siyuan-note/siyuan/security/advisories/GHSA-6865-qjcf-286f
- https://nvd.nist.gov/vuln/detail/CVE-2026-29183
- Product: https://github.com/siyuan-note/siyuan
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026